Presented on May 21, 2017 at CarolinaCon (https://www.carolinacon.org). This talk will provide a light intro to honeypots and their benefits, and highlight two projects HoneyPy and HoneyDB. Operating honeypot sensors on your internal network is a simple way to make your network “noisy” and can trip up malicious actors that have already penetrated your network. Also, leveraging data from honeypot sensors on the Internet can be a useful source of threat information.
6. Honeypots Overview
A computer configured to look like a legit system on the network, but its real
purpose is to discover and/or track attackers.
Types of Honeypots:
● Production
● Research
● Hobbyist
Honeypot interaction tiers:
● Low - emulated services, limited to no emulated login capability (low risk).
● Medium - emulated services, emulated login, emulated commands.
● High - Actual services, system logins, and commands (very risky).
CarolinaCon 13
7. Intro to honeypots
Production honeypots are computers on the network that have no legitimate
business purpose and should never see any traffic, unless…
● Something is misconfigured on the network
● Someone is malicious on the network
Honeypot logs are low volume and high value
Make your network noisy
https://www.youtube.com/watch?v=FFJ_3GbOfi0&t=5m50s
8. Intro to honeypots
Research honeypots can have many purposes; it just depends on what you are
researching.
● Identify sources of malicious traffic
● Discover malware, botnets, C&C servers.
● Attacker techniques & tools
9. Andrew Morris
Check out this talk from ShmooCon 2015…
No Budget Threat Intelligence - Tracking Malware Campaigns on the Cheap
https://www.youtube.com/watch?v=DKfWukYffsE
Andrew Morris (@Andrew___Morris), now at Endgame.
Great talk
- Reversing malware
- Uncovering C2 servers
- Uncovering imminent DDoS attacks
16. HoneyPy
● Low to medium interaction honeypot
● Plugin-based to implement various network services (TCP- or UDP-based).
● Written in Python
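To make the "low interaction" tier from the Honeypots Overview slide and the plugin-style Python service of this slide concrete, here is an added example of a minimal low-interaction TCP sensor. It is not HoneyPy's own code or plugin API: it emulates only a service banner (no login, no commands), reads whatever the client sends first, and turns every connection into one JSON log record, the "low volume, high value" signal a production honeypot exists to produce. The banner text, port 2525, the in-memory SESSIONS list and the probe_once helper are all constructed for the example.

```python
"""Minimal low-interaction TCP honeypot sensor (added example, not HoneyPy code).

Emulates a single service banner, records the first bytes a client sends,
and emits one JSON event per connection. No login or command emulation,
so the risk surface stays small (the "low interaction" tier).
"""
import asyncio
import json
import time

# Constructed banner for a fake SMTP relay that has no legitimate business use.
BANNER = b"220 mail.example.internal ESMTP ready\r\n"
MAX_BYTES = 1024          # cap what we keep from a client so logs stay bounded
READ_TIMEOUT = 5.0        # seconds to wait for the client's first bytes
SESSIONS = []             # in-memory event store; a real sensor would ship these to a SIEM


def make_event(peer_ip, peer_port, local_port, data, ts=None):
    """Build one log record. Any record at all is an alert, since nothing legitimate
    should ever connect to this port."""
    kept = data[:MAX_BYTES]
    return {
        "ts": ts if ts is not None else time.time(),
        "src_ip": peer_ip,
        "src_port": peer_port,
        "dst_port": local_port,
        "bytes": len(data),
        "payload_hex": kept.hex(),
        # Lossy printable view for humans; the hex field is the faithful copy.
        "printable": kept.decode("ascii", "replace").strip(),
    }


async def handle(reader, writer):
    """Per-connection handler: send the banner, capture the first bytes, log, hang up."""
    peer_ip, peer_port = writer.get_extra_info("peername")[:2]
    local_port = writer.get_extra_info("sockname")[1]
    writer.write(BANNER)
    await writer.drain()
    try:
        data = await asyncio.wait_for(reader.read(MAX_BYTES), timeout=READ_TIMEOUT)
    except asyncio.TimeoutError:
        data = b""  # a bare connect-and-wait scan is still worth logging
    event = make_event(peer_ip, peer_port, local_port, data)
    SESSIONS.append(event)
    print(json.dumps(event))
    writer.close()


async def serve(host="0.0.0.0", port=2525):
    """Run the sensor until interrupted."""
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


def probe_once():
    """Self-check: start the sensor on a loopback ephemeral port, connect once as a
    client, and return (banner_received, logged_event)."""
    async def _run():
        server = await asyncio.start_server(handle, "127.0.0.1", 0)
        port = server.sockets[0].getsockname()[1]
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        banner = await reader.readline()
        writer.write(b"EHLO probe.example\r\n")
        await writer.drain()
        await reader.read()          # EOF arrives only after the sensor has logged and closed
        writer.close()
        server.close()
        await server.wait_closed()
        return banner, SESSIONS[-1]
    return asyncio.run(_run())


if __name__ == "__main__":
    asyncio.run(serve())
```

Run it as-is to listen on port 2525, or call probe_once() to see a complete event for a single connection. The design choice worth noting is that the handler never interprets the client's input; it only records it, which is what keeps a low-interaction sensor from becoming a foothold of its own.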
17. HoneyPy
Why create HoneyPy?
● Wanted a simple honeypot that can be easily extended
● Wanted a project to do more Python
22. HoneyPy Additional Deployment Options
● Docker, because Docker all the things...
○ https://github.com/foospidy/HoneyPy-Docker
● Raspberry Pi, because Raspberry Pi all the things...
○ https://github.com/foospidy/HoneyPyPi
○ Demos
■ https://asciinema.org/a/4814e766bqsgbdohcxandtvqc
■ https://asciinema.org/a/6erwn2n4w5jgjm5d2bvoontfv
23. HoneyPy, What’s Next?
● More plugins
● Enhance plugins
● More Integrations
Or... you come up with what’s next!
Pull requests are welcome, please contribute :-) Bug fixes wanted!
24. HoneyDB
Web site for viewing and accessing honeypot data.
Activity charts, session details, and ThreatBin.
https://riskdiscovery.com/honeydb
25. HoneyDB, What’s Next?
● More data graphs (Twitter data)
● More API endpoints
● More Integrations with other threat info or “intel”
Oh… and then there’s this...
26. Honeypots as a Service - you have to HaaS it!
HONEYPOTS AS A SERVICE!
27. Honeypots as a Service - you have to HaaS it!
DEMO!
28. References
Blog post, HoneyPy getting started series.
Good books:
Honeynet Project
● https://www.honeynet.org